Application Layer Firewalls

Circuit-level firewalls are ok but if you want to make your network more secure these firewalls will not be enough for you. Better line of defense is to use new kind of firewall that are making deeper packet analyze, application layer firewalls. Application layer firewalls, also called application gateways or proxy firewalls. These firewalls are filtering traffic at 3, 4, 5, 7 OSI layer.

Application layer firewalls may have proxy servers or specialized application software added. The role of Proxy service is to manage traffic through a firewall for some services like FTP.

The proxy services are different for every protocol they are forwarding. They can also increase possibility of access control, data validation and logging of data transfer. Proxy firewalls are in the middle between networks and they decide which communication will have approval to proceed towards other network.

In a configuration with proxy firewalls, there is no connection between outside and inside network. If we speak about LAN connected to the internet, proxy server provides the only visible IP address on the Internet. If some user od client is trying to submit some application layer requests they are all connected to the proxy server first. Proxy will watch every request end filter them or even change some requests. The proxy server also copies incoming packets and then changes the source address to hide the internal address before it sends the packet back to the destination address.

Why Application Layer Firewalls?

To protect the private network we use proxy server that controls and monitors outbound traffic. The whole access to the network is managed by the proxy server who establishes the session state and makes the user authentication.

Application layer firewalls are responsible for filtering at 3, 4, 5, 7 layer. Because they analyze the application layer headers, most firewall control and filtering is performed actually in the software.

If you put the a firewall at the network layer you are able to control much more information from data. Depending of what Application layer firewall you are using, application support can be very different. There are different Application layer firewalls that are supporting limited number of applications, and others are made to support only a single application. Normally, application layer firewalls are made to control applications as e-mail, FTP, Usenet news, web services, DNS, Telnet and so on.

Advantages offered by Application Layer Firewalls

Authenticate individuals

It’s not a device authentication but individual user authentication. In normal circumstances connection requests are authenticated before traffic is allowed to go inside oroutside from the resource. In that way you are making authentication of user requesting the connection instead of authenticating the device.

It’s more difficult to spoof and make DoS attacks

Application layer firewalls will be able to help in the prevention of most spoofing attacks. DoS attacks will be limited to the application firewall itself. Application firewalls can detect DoS attacks and reduce the load of your internal resources.

Can monitor and filter application data

When you authenticate and authorize the user, you can use individual user information to allow or disallow some commands or functions that he is allowed to perform.You can basically monitor all data in some connection. That way you can mitigate Application attacks like buffer overflow attempts, unauthorized access, etc.

Detailed logging solution

Detailed logs about what the individual is sending across a connection can help you to monitor network sanity. This will allow you to track new types of attacks by monitoring what the hacker is doing.Logging can track for you all resource accessing and bandwidth allocation per user.

Working with Application Layer Firewalls

Application level proxy firewalls have a job to allow or deny connections from inside the network out to the internet and also permit and deny communications that are sourced from the internet and directed to our inside local network. They are placed in the application layer for each type of service that they want to allow (like HTTP for example). Sometimes proxy server will block all incoming connections from internet to our local network and allow only to our local users to go out to the internet. In that case, the only traffic that they are allowing to pass in the inside of the network from the internet is the traffic that is reply to local user query. It will allow only connections that are initiated from the inside of the network to come back in.

In proxy configuration, the application layer firewall has normally two network interfaces. One is used for the client connections, and the other is used to access the website from the Internet. By standing in the middle between the internal and external network, application proxy filters the trusted from untrusted network connections either physically or logically.

Let’s examine how this works:

The proxy server takes the request from inside the network for accessing some webpage.

The proxy server checks the user base on the rules applied to it.

It uses the Internet connection to load the requested website. In that action it forwards only Layer 3 and Layer 4 packets that match the firewall rules.

When returning content to the requesting client, proxy server will forwards only Layer 5 and Layer 7 traffic and content that the server allows.

Application layer firewalls are made to enable the highest level of filtering for particular protocol. Proxy server slows down the network because there is significant amount of information that he must analyze.

Application Firewall Limitations

There is a big issue with application firewall and that is throughput limitation. They can also full up a lot of disk space by writing many logs.

There are two solutions:

Use a Context Transfer Protocol (CXTP)

Monitoring only some particular applications

By using a CXTP, you perform authentication and authorization and then you don’t analyze the whole connection. This improves performance but without monitoring the ability to have alerts of new attack is impossible. In the second solution, you limit the application layer firewall to processing only particular things on the network like e-mail or Telnet.

You can do even more by processing only connections to specific internal resources like servers.

The downside is a security weakness that enables the attacker to take the ownership of a non-secure device and from there attach every machine in the local network. Another thing is that the application layer firewall is not supporting all application that exists today. For other applications there is no possibility to filter traffic with application layer connection.

Some application layer firewalls are not able to function without client side software installed. They use this software to make authentication process and other data gathering. This can limit scalability if you need to install this software to many user computers and may create management problems if support for thousands of clients is required.

Application Layer Firewalls was last modified: August 9th, 2012 by Valter Popeskic